Re: Feature request: thresholds need another counter?

[Michael Boman <michael () ayeka dyndns org>]

On Wed, 2004-03-17 at 12:09, Paul Schmehl wrote:
> ----- Original Message ----- 
> From: "Jason Haar" <Jason.Haar () trimble co nz>
> To: <snort-users () lists sourceforge net>
> Sent: Tuesday, March 16, 2004 9:45 PM
> Subject: [Snort-users] Feature request: thresholds need another counter?
> >
>
> > I am in a dilemma. I want to move to thresholds so as to save my SQL
> > databases from collapse, and yet at the same time I don't like loosing the
> > details - such as what looks like  10 SLAMMER alerts @ 1 per minute was
> > actually 10,000,000 alerts - but threshold reduced it down.
> I guess my question would be, why should you care?  Case in point.  My rule
> for Nachi thresholds at, IIRC, 1000 alerts in a 60 second period.  If I'm
> getting that many alerts, I *know* it's Nachi.  I no longer have to wonder
> if it's something else.  Once I *know* that, why do I care if this
> particular instance sets off 250,000 alerts/hour whereas another infection
> sets of 125,000/hour?  The fact is, the alert has done its job, and I don't
> really need to know the precise numbers.
>
> There may be cases where this is not true, however, so I think there's some
> merit to your suggestion.  I'm just not sure how much.
> :-)

It's all about numbers when you try to grab more money or justify the
money you already spent. Being able to draw nice graphs for the reports
is one of the requirements in this process. If you don't have the
numbers it's quite hard to draw the graphs..

Especially when your thresholds says it was _at least_ X alerts in Y
time frame...

Just my .02$

-- 
Michael Boman

Attachment: signature.asc
Description: This is a digitally signed message part